Bitdefender has exposed a dangerous new trojan, based on the now infamous ZeuS Banker Trojan. This trojan, named, Terdot, is designed to target social media and major email sites as well as banks. It is designed to gather credentials from Facebook, Twitter, Google Plus and YouTube and also targets email service providers such as Microsoft’s live.com login page, Yahoo Mail, and Gmail. In short, Terdot’s complex structure gives it the ability to become a very dangerous threat.
Not surprisingly, Terdot begins its attack through an email and an attached file hiding behind a PDF icon. Many of the emails only contain the icon, which should be suspicious. However, the ‘PDF file’ may be given a legitimate looking name. If that file is subsequently opened, the malware takes over the victim’s computer and browser, monitoring all of the victim’s activities. In most cases, it writes itself into the registry to gain persistence. However, if it does not have the rights to do this, it will send the victim this message.
Notice that it claims to be a Window’s utility and that it is verified by Microsoft Windows. Most users would think that was proof enough of validity and simply allow the malware to proceed to rewrite the registry. If it is given this permission, the malware will then persist even after a reboot. It, then, becomes extremely difficult to remove. As one virus removal site noted, “removing Terdot manually may take hours and damage your system in the process.”
Once on a victim’s computer, the malware has numerous ways to update itself and execute its code. It is almost impossible to block. It is also almost impossible to detect.
Terdot operates primarily through a Man-In-the-Middle (MITM) attack. It secretly becomes part of your browser and watches everything you do and intercepts communications and diverts them to pages that will steal your login credentials or credit card numbers. A key component of the malware is its ability to trick the browser into accepting all connections requiring SSL certificates (HTTPS sites). This includes sites that would normally trigger some sort of untrusted certificate warning, such as the following.
This means that even sites with the HTTPS designation are not safe. By accepting all certificates, the malware can direct the victim to legitimate-looking but nefarious sites that will gather login credentials or banking information. The exploit is deployed differently in Firefox and Microsoft browsers, but the result is the same.
Although Terdot is based on the architecture of the most infamous banking malware, ZeuS, it is designed to do much more. Yes, it does target banks. For the moment, it seems to be focusing on Canadian banks. That is, it leads victims to log into spoofed banking sites and, in so doing, captures their login credentials.
However, unlike ZeuS, according to Bitdefender, Terdot “can also eavesdrop on and modify traffic on most social media and email platforms.” It is designed to gather credentials from Facebook, Twitter, Google Plus and YouTube and also targets email service providers such as Microsoft’s live.com login page, Yahoo Mail, and Gmail.
So what can Terdot do if it gains access to your Facebook page? It can exploit your friends/contacts for one. It can post links to infected pages or send your contacts infected files to open in order to create more victims. Since your contacts think the files are from you, they would be more likely to open them. In addition, if you or your friends have credit card information stored on their sites, that, too, can be stolen. If they wanted to, they could lock you out of your account completely, but they appear to use these social media sites mainly to gather information and propagate their attacks.
So what can you do? First of all, be suspicious of any PDF file that is sent to you via email, even if it comes from a contact or a friend. If you have any doubts, ask those contacts if they, indeed, have sent you this file. If you can’t contact them, copy the file and check it on a site like Virus Total.
Apparently, the malware also tries to use the SunDown Exploit Kit to infect computers. The Sundown Exploit Kit (which is free) is used to direct a victim to infected web pages. Though the Edge browser is able to detect the malware, it seems that the operators behind Terdot are trying to find new ways to infect Edge. Through the SunDown Exploit Kit, Terdot has been found to be directing users to infected websites that contains the malware hidden in image files in a technique known as, steganography (for an explanation and examples, see my post on How Terrorists Communicate). In some cases, it downloads a blank image file from these sites which hides the malicious code.
Terdot targets devices using the Windows operating system. It specifically targets older Windows formats. Edge automatically updates, so it is safe for now. If you are using an older browser or you are not allowing automatic updates on Windows 10, then you are exposed.
For the moment, certain countries seem more vulnerable than others, as can be seen in the following chart.
Since the code for this malware is available for anyone to use, it can be honed for particular needs. Recently, According to some sites, Terdot has been converted into a ransomware delivery package. It could also be used to target key individuals in important companies or institutions through sophisticated spearphishing attacks that use legitimate-looking contacts. So, at least for now, whenever you receive an email with an attachment, a little paranoia is a good thing.